I am working on a project trying to set up a Remote Access IPsec VPN for my customer. I am using an ASA 5520 to terminate the VPN. The authentication path is like this: ASA5520 --- ACS 3.2 ---- Token Server. The Token server has accounts for all the employees of the company. The ACS server does not have any static accounts configured; it simply forwards the RADIUS request to the Token server. The Remote Access IPsec VPN is designed for sales department use only. I have set up the system, but under the current setup, anyone that has a token card can pass the authentication and connect to the VPN.
My question is: how to configure the ASA or ACS server to allow ONLY sales persons to connect to the VPN while using the company-provided Token card?
Thanks a lot!